Intercept Flows and checking raw LDAP attributes

Cantor, Scott cantor.2 at
Mon Aug 3 19:27:37 EDT 2015

On 8/3/15, 7:20 PM, "users on behalf of Jeffrey Crawford" <users-bounces at on behalf of jeffreyc at> wrote:

>I feel like I'm missing something simple here. I have an interrupt flow that will work based off of the context-check example; however, if the SAML attribute eduPersonAffiliation is not released to the SP in question and I'm trying to check against it, I get the following in the logs.

That's just how it was implemented. The next version includes a separately tracked collection of the unfiltered attributes and most of the internal components will then operate on the unfiltered set.

>It only works if the attribute-filter has eduPersonAffiliation released to the SP, but I want to check that attribute even if it's not released. Can I check against the raw LDAP attribute as opposed to the attributes in the SAML profile?

There is no way it will ever operate on raw LDAP attributes. The IdP operates solely on IdPAttributes produced by the resolver and that won't ever change.

-- Scott
